#!/bin/bash
System_Security(){
#锁定无用账户
for Lock_USER in `cut -d ":" -f 1 /etc/passwd | egrep -v "root|operation|developer|admin"`
do
    #查看账户状态
    passwd -S ${Lock_USER}
    #锁定密码
    usermod -L $Lock_USER || passwd -l $Lock_USER
    #解锁密码
    #usermod -U $Lock_USER || passwd -u $Lock_USER
    if [ $? = 0 ];then
        echo "The ${Lock_USER} account is locked"
    else
        echo "The ${Lock_USER} account is not locked"
    fi
done

#针对新用户，进行口令生存周期控制
#超过30天必须修改密码才能进行登录
sed -i.bak "s/^PASS_MAX_DAYS.*/PASS_MAX_DAYS\ \ \ 30/" /etc/login.defs

#下次登录时，必须更改密码
#chage -d 0 USER_NAME


#设置口令复杂度
sed -i.bak '3a password    required      pam_cracklib.so  try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=10' /etc/pam.d/system-auth



#限制登录超时,命令历史记录清除
sed -i.bak '/^HISTSIZE/a\export TMOUT=600' /etc/profile
echo -e "history -c\nclear" >> ~/.bash_logout



#禁止root用户进行登录
#添加普通用户
#useradd admin && echo "admin:6qA@666666" | chpasswd
#给普通用户授权,上个脚本已经给admin授权了
# sed -i.bak '/^root/a\admin  ALL=(ALL)       ALL' /etc/sudoers

#修改root用户禁止远程登录到系统
#echo "PermitRootLogin no" >> /etc/ssh/sshd_config
sed -i.bak "s/^PermitRootLogin.*/PermitRootLogin no/" /etc/ssh/sshd_config
#指定允许远程登录的用户.
echo "AllowUsers admin" >> /etc/ssh/sshd_config
#echo "AllowGroups admin" >> /etc/ssh/sshd_config

#最大认证尝试次数，最多可以尝试3次输入密码
echo "MaxAuthTries 3" >> /etc/ssh/sshd_config

#克隆会话最大连接
echo "MaxSessions 5" >> /etc/ssh/sshd_config

#是否反解DNS，如果想让客户端连接服务器端快一些，这个可以改为no
#echo "UseDNS no" >> /etc/ssh/sshd_config

##是否允许使用基于密码的认证。默认为"yes"。
#PasswordAuthentication yes
#sed -i "s/^PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config

#(允许空口令吗) 拒绝用户登录（一般开启公钥验证关闭用户登录）
echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
#修改SSH Port
echo "Port 65534" >> /etc/ssh/sshd_config
#systemctl restart sshd

#登录警告提示(在初始化的时候完成了)
#cat > /etc/motd << EOF
#Warning!  If unauthorized, illegal login system, please quit immediately!!
#Your system fingerprint has been recorded!!
#EOF
#
#cat > /etc/issue << EOF
#Warning!  If unauthorized, illegal login system, please quit immediately!!
#Your system fingerprint has been recorded!!
#EOF

#限制umask的值(慎用)
#echo "umask 0777" >> /etc/bashrc


#限制gcc
#chmod 000 /usr/bin/c89
#chmod 000 /usr/bin/c99
#chmod 000 /usr/bin/cc
#chmod 000 /usr/bin/gcc
#chmod 000 /usr/bin/gcc-**
#groupadd compilerGroup
#chown root.compilerGroup /usr/lib/gcc
#chmod 0075 /usr/bin/gcc


#锁定系统文件（初始化已完成）
#chattr +i /sbin/
#chattr +i /usr/sbin/
#chattr +i /bin/
#chattr +i /sbin/
#chattr +i /usr/lib
#chattr +i /usr/lib64/
#chattr +i /usr/libexec/
#chattr +i /etc/passwd /etc/group /etc/shadow /etc/gshadow

#chattr -i /sbin/
#chattr -i /usr/sbin/
#chattr -i /bin/
#chattr -i /sbin/
#chattr -i /usr/lib
#chattr -i /usr/lib64/
#chattr -i /usr/libexec/
#chattr -i /etc/passwd /etc/group /etc/shadow /etc/gshadow

#限制日志文件(初始化已完成)
#chattr +a /var/log/dmesg /var/log/cron /var/log/lastlog /var/log/messages /var/log/secure /var/log/wtmp
}
